As part of our standard due diligence when introducing new software to our organization, we need answers to some general questions around SonarQube’s security controls.
- Version: SonarQube 8.9
- Goal: Evaluate security risk of adopting SonarQube
- Tried: Had email conversations with account representative and scoured online documentation
Questions:
- Do you have an Information Security Management program in place? We ask this to confirm your organization defines and implements general security practices.
- Do you have a business continuity and disaster recovery plan? We ask this to assess the risk of us ending up with a discontinued product.
- Do you have a vulnerability management program in place for your applications? We ask this to assess the likelihood of us using a product containing security vulnerabilities.
- Do you hire a third party to perform external penetration testing? If so, how often are these tests performed? We ask this to assess the security of your product.
- Does your organization perform annual risk or security assessments? We ask this to get greater confidence in your organization’s general security practices.
- Do you have a patch management process for your solution? We ask this to assess the difficulty/ease of upgrading to versions with fixes for newly discovered security vulnerabilities.